AW: Winbind authentication of user accessing a share with encrypted password.

2002-06-27 Thread Klein . Roman

Hi,

I have not installed samba until 2.2.5 now.

But there is a bug in the winbindd code which has been fixed by Mike Gerdts,
see attached e-mail.
I assumed that this patch, which works for me on samba 2.2.4 solaris 2.6, has
been added to the 2.2.5 release.

Obviously not.

 Re: Samba, winbind, solaris and your patch 

Could you please give me feedback if this works for you on 2.2.5 also?

Best Regards

Roman

 -Original Message-
 From:  Allan Nielsen [SMTP:[EMAIL PROTECTED]]
 Sent:  Thursday, 27 June 2002 09:53
 To:   [EMAIL PROTECTED]
 Subject:  Winbind authentication of user accessing a share with
 encrypted password.
 
 Hi
 
 In relation to your posted message I have exactly the same problem on
 samba 2.2.5.
 Flags used are --with-winbind --with-winbind-auth-challenge
 --with-acl-support.
 After including --with-winbind-auth-challenge it is possible to get
 authentication with encrypted passwords from wbinfo -a user%password but
 when accessing a share as this user he is mapped to nobody.
 
 Did you succeed to solve your problem?
 
 I'm using samba now for 6-7 years starting with samba 1.9.18.
 
 I have 6 machines running samba v2.0.7 under linux and solaris
 I have upgraded one of the solaris machines to samba 2.2.3a including
 acl-support and winbind.
 
 I live in a win2k forest, so my domain has a trust relationship with
 another win2k domain.
 My domain controllers are in mixed mode.
 
 In order to get winbindd and nsswitch up and running I had to adjust the
 Makefile as follows:
 
 nsswitch/libnss_winbind.so: $(WINBIND_NSS_PICOBJS)
 	@echo Linking $@
 	@$(SHLD) -h $@ -G -o $@ $(WINBIND_NSS_PICOBJS) $(LIBS)
 
 I added the $(LIBS) to the linker-line, without that I had errors when doing
 a 'ls -l' for a file which was owned by a DOMAIN+domuser account.
 
 Furthermore I had to copy the nsswitch/libnss_winbind.so as nss_winbind.so
 to /lib
 After configuring nsswitch.conf I can successfully do:
 
 wbinfo -u
 wbinfo -g
 getent passwd
 getent group
 
 From a NT4 or win2k-box I can modify acl on the samba-share as long as I use
 a useraccount which is not authenticated by winbind.
 
 when I use:
 wbinfo -a domain\\domuser%password (my winbind separator is '\')
 
 I'll get error:
 
 plaintext password authentication succeeded
 challenge/response password authentication failed
 Could not authenticate user domain\domuser%password with
 challenge/response
 
 Although encrypted passwords are enabled in smb.conf
 
 I can do a
 
 su - domain\\domuser%password
 
 on unix level
 
 When I do a smbclient //server/share -U domain\\domuser%password
 
 I'll get error:
 
 Domain=[DOMAIN] OS=[Unix] Server=[Samba 2.2.3a]
 tree connect failed: NT_STATUS_WRONG_PASSWORD
 
 I can not connect to that server using a winbind authenticated useraccount
 from either NT4sp6 or win2ksp2.
 
 In any case I can see in the winbindd-log that the daemon is enumerating
 SID's to GID's and UID's, but it states that the passwords are not
 encrypted.
 
 I was reading through the docs and mailings for the last two days, but I did
 not get the proper advice on how to get it up and running.
 
 Can anybody help?
 
 Best Regards
 
 Roman
 
 Med venlig hilsen / With kind Regards
 
 Allan Nielsen
 Advisory   IT-Specialist
 
 IBM Danmark A/S   -   Sortemosevej 21   -   3450 Allerød   -   Phone: 4523
 9595   -   Mobil: 23325107   -   Fax: 4523 6803   -   E-mail:
 [EMAIL PROTECTED]
 

---BeginMessage---

On Mon, 2002-05-13 at 11:20, [EMAIL PROTECTED] wrote:
 Hello Mike,
 
 I was veerrryyy interested in your work when I first saw your posting
 concerning winbind and the related problems when running it on more than one
 machine.

Glad to hear it.  I was beginning to think that I was the only one
looking for this functionality.
 
 I therefore immediately downloaded your patch and enhancements to winbind
 and applied it to samba 2.2.4.
 
 But when starting winbindd I get error messages in the log.winbindd stating
 that the loader ld.so.1 can not find the symbol main in idmap_file.so.

H... not sure about that.  Could you send me the version that you
compiled so that I can compare it against the one that works for me? 
Also, please include any modifications that you did to the makefile to
get it to compile.

 Any idea what could be wrong?

Perhaps a different compiler and/or linker contributed to the problems. 
I am using gcc 2.95.2 on Solaris 8.

 My configuration is as follows:
 
 Solaris 2.6
 Samba 2.2.4
 gcc et al 2.95.3
 
 
 Besides the problem that winbindd, without your patch, causes trouble in an
 multi-machine environment I face the following problem, with and without
 your patch, as well:
 
 - winbindd is running
 - wbinfo -u -- shows all domain users
 - wbinfo -g -- shows all domain groups
 - getent passwd -- shows all, local and domain, users
 - getent group -- shows all, local and domain, groups
 - getent passwd domain+domuser -- shows passwd entry for specified domain user
 - wbinfo -a 

AW: AW: Winbind authentication of user accessing a share with encrypted password.

2002-06-27 Thread Klein . Roman

Hi all,

sorry but I am not familiar with programming.

Maybe someone else could do that.

The patch I have referenced did not job at least to samba 2.2.4

Best Regards

Roman

 -Original Message-
 From:  Mike  Gerdts [SMTP:[EMAIL PROTECTED]]
 Sent:  Thursday, 27 June 2002 15:11
 To:   [EMAIL PROTECTED]
 Cc:   [EMAIL PROTECTED]; Samba Technical Mailing List
 Subject:  Re: AW: Winbind authentication of user accessing a share
 with encrypted password.
 
 I have not yet had the time to finish up the patch that is referred to
 below.  If anyone else wants to move it forward, I would be more than
 happy.  In addition to the patches at
 http://www.cae.wisc.edu/~gerdts/samba/ I have a private CVS repository
 that I would happily tar up and send to anyone that would put it up on a
 public CVS server.
 
 A todo list of sorts can be found at
 http://lists.samba.org/pipermail/samba-technical/2002-May/036877.html
 
 Mike
 

AW: [Fwd: smbd 2.2.4 Solaris 8 on intel (PR#24507)]

2002-06-06 Thread Klein . Roman

Hello,

I have been using Samba for some years on a Sun Enterprise 450 with 4 processors.
There are only a couple of users for the samba-system on that machine, but
we never faced problems.
Actual version of Samba is 2.2.4 on Solaris 2.6 SPARC.

I do not use:
pam,acl,automount,quotas on that machine.

Best Regards

Roman

 -Original Message-
 From:  Simo Sorce [SMTP:[EMAIL PROTECTED]]
 Sent:  Wednesday, 5 June 2002 18:45
 To:   [EMAIL PROTECTED]
 Subject:  [Fwd: smbd 2.2.4 Solaris 8 on intel (PR#24507)]
 
 Better forward this bug to the technical list.
 
 Anyone using samba on 2 processors machine?
 
 
 -Forwarded Message-
 
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: smbd 2.2.4 Solaris 8 on intel (PR#24507)
 Date: 05 Jun 2002 09:29:30 -0700
 
 
 I am not even sure how to describe this issue.
 
 We have a University laboratory environment with 150 or so Windows
 computers that connect to our samba server. We have smbd 2.2.2
 running on a Solaris 8 Sparc computer without an issue :-)
 
 We wish to move the smb services to a quad intel machine running
 Solaris 8. We first started with 2.2.4 compiled with the
 same options as on the sparc machine.
 
 Sparc options
 ./configure --prefix=/public/sparc/samba-2.2.2 \
   --sysconfdir=/etc/localhost/samba-2.2.2 \
   --with-configdir=/etc/localhost/samba-2.2.2 \
   --with-privatedir=/etc/localhost/samba-2.2.2/private \
   --with-lockdir=/var/run \
   --with-pam \
   --with-acl-support \
   --with-quotas \
   --with-automount
 
 But we got hundreds of Signal 11 (segmentation faults).
 Even the nmbd died from this.
 
 We then switched back to 2.2.2, but had the same results.
 
 After some extensive troubleshooting, it appeared to be
 the --with-quotas option that was causing the problem,
 so we recompiled 2.2.4 with the following options
 
  env CFLAGS='-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -march=i686
   -O2 -funroll-loops -fexpensive-optimizations' \
  CPPFLAGS='-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -march=i686 -O2
   -funroll-loops -fexpensive-optimizations' \
  ./configure  --prefix=/package/samba-2.2.4 \
  --sysconfdir=/etc/localhost/samba-2.2.4 \
  --with-configdir=/etc/localhost/samba-2.2.4 \
  --with-privatedir=/etc/localhost/samba-2.2.4/private \
  --with-logfilebase=/var/log/samba-2.2.4 \
  --with-lockdir=/var/log/samba-2.2.4/locks \
  --with-piddir=/var/log/samba-2.2.4 \
  --with-acl-support \
  --with-automount \
  --with-pam \
  --sharedstatedir=/var/samba-2.2.4
 
 With only two Win2k machines using this server, we were unable to
 reproduce the segmentation faults. We finished the configuration, and
 then we switched smb services to this machine.
 
 1. stop nmbd on current server
 2. start smbd on new server
 3. start nmbd on new server
 
 As clients connect to the netbios name, they gradually learn of
 the new server. The connections to the old server taper off,
 and the connections to the new server start to build.
 
 Almost immediately, the logs include the segmentation fault error
 message (signal 11).
 
 Incidentally, compiling without any CFLAGS, CPPFLAGS
 does not make any difference to this problem, nor does using
 Sun's supplied gcc with the Sun as/ld or if we use gcc3.0.4 with
 gnu as/ld.
 
 I have level 3 logs at
 http://remora.csc.uvic.ca/smbbug/c-oswego.log
 http://remora.csc.uvic.ca/smbbug/c-cooper.log
 http://remora.csc.uvic.ca/smbbug/smb.conf
 
 Any assistance/test we can do to help out is of course available.
 
 thanks,
 
 --
 Evan Rempel [EMAIL PROTECTED]  250.721.8296
 Senior Programmer Analyst
 University of Victoria
 
 
 
 -- 
 Simo Sorce
 --
 Una scelta di liberta': Software Libero.
 A choice of freedom: Free Software.
 http://www.softwarelibero.it
 




[SUCCESS] RE: Samba, winbind, solaris and your patch

2002-05-14 Thread Klein . Roman

Hello Mike,

in the end it works.

I applied your patch to winbind, although it seemed to be applied while I
compiled your idmap_files.so.
compiled and installed nss_winbind.so
restarted nscd
restarted winbind

and NOW I can connect to that machine from explorer, set my acl's using the
uid provided from winbind etc...

As you asked for, find attached the compiled idmap_files.so stuff which does
not work on my machine.

Best Regards

Thanks again

Roman

 idmap_file.tar.gz 


 -Original Message-
 From:  Mike  Gerdts [SMTP:[EMAIL PROTECTED]]
 Sent:  Monday, 13 May 2002 20:00
 To:   [EMAIL PROTECTED]
 Subject:  Re: Samba, winbind, solaris and your patch
 
 On Mon, 2002-05-13 at 11:20, [EMAIL PROTECTED] wrote:
  Hello Mike,
  
  I was veerrryyy interested in your work when I first saw your posting
  concerning winbind and the related problems when running it on more than one
  machine.
 
 Glad to hear it.  I was beginning to think that I was the only one
 looking for this functionality.
  
  I therefore immediately downloaded your patch and enhancements to winbind
  and applied it to samba 2.2.4.
  
  But when starting winbindd I get error messages in the log.winbindd stating
  that the loader ld.so.1 can not find the symbol main in idmap_file.so.
 
 H... not sure about that.  Could you send me the version that you
 compiled so that I can compare it against the one that works for me? 
 Also, please include any modifications that you did to the makefile to
 get it to compile.
 
  Any idea what could be wrong?
 
 Perhaps a different compiler and/or linker contributed to the problems. 
 I am using gcc 2.95.2 on Solaris 8.
 
  My configuration is as follows:
  
  Solaris 2.6
  Samba 2.2.4
  gcc et al 2.95.3
  
  
  Besides the problem that winbindd, without your patch, causes trouble in an
  multi-machine environment I face the following problem, with and without
  your patch, as well:
  
  - winbindd is running
  - wbinfo -u -- shows all domain users
  - wbinfo -g -- shows all domain groups
  - getent passwd -- shows all, local and domain, users
  - getent group -- shows all, local and domain, groups
  - getent passwd domain+domuser -- shows passwd entry for specified domain user
  - wbinfo -a domain+domuser%passwd -- both authentication methods succeed
  - when install pam_winbind -- login to solaris as domain+domuser and
  domain-passwd works
  
  BUT
  
  connecting from an windows-box in explorer to a share on that
  winbind-machine is not working.
  I tried to track it down and I think I found out that when winbind tries to
  call the solaris function 'getpwnam' that function returns a null-pointer.
 
 This is likely the bug related to the passwd structure on Solaris having
 pw_age and pw_comment fields.  See
 http://lists.samba.org/pipermail/samba-technical/2002-May/036614.html
 for details.  If you didn't remove that part from my patch, you should
 be protected from this bug.  You may want to take a look at
 source/lib/system.c.  In wsys_getpwnam() there is another function that
 copies the passwd structure (wsys_getpwnam).  It looks as though it is
 not called by anything, but perhaps I am missing some funky macro or
 define that comes out of configure somewhere.
 
 If there is another problem, I am not sure where exactly it would be
 at.  The bug I found was quite difficult to find until I recompiled nscd
 with debugging symbols.  Unfortunately, that is not an option for most
 people, especially with Solaris 2.6.  AFAIK, Sun only gave the Solaris
 2.5.1, 2.6, and 7 code to universities.  The only Sun source that I
 have access to for debugging things like this is Solaris 8.
 
  I assume from your postings that you are familiar with c, solaris and have a
  running winbind environment.
 
 I have tried minimal functionality of winbindd.  I do not want to use
 the winbind PAM module because UNIX users should authenticate against
 NIS.  getent passwd domain\\user and getent passwd uid work just
 fine.  Explorer on NT4 and Win2k is able to create files and display ACLs
 consistent with what I expect, given the U/GIDs assigned by winbindd. 
 ls and getfacl concur with the results that Windows explorer shows. 
 Also, Explorer on Windows 98 is able to create directories just fine
 (that is all I tried from 98).
 
  Any idea what causes that problem, when I posted this problem to the
  samba-technical mailing list no one was responding except some other users
  facing the same problem.
  
  Can you contribute in any matter to this problems?
  
  Would be veeerrr helpful.
  
  Thanks in advance and best regards
  
  Roman
 
 If you don't have a reason for not Cc'ing the list, please do so in the
 future so that others can benefit from your question and my response. 
 It helps the samba team know that there is more than one person that
 would like this functionality and they are more likely to include it in
 future releases.
 
 Please let me know if this does or